public inbox for bitcoindev@googlegroups.com
From: Anthony Towns <aj@erisian.com.au>
To: Russell O'Connor <roconnor@blockstream.io>
Cc: Bitcoin Protocol Discussion <bitcoin-dev@lists.linuxfoundation.org>
Subject: Re: [bitcoin-dev] OP_SECURETHEBAG (supersedes OP_CHECKOUTPUTSVERIFY)
Date: Fri, 21 Jun 2019 08:05:52 +1000	[thread overview]
Message-ID: <20190620220552.metrqaul3iporwma@erisian.com.au> (raw)
In-Reply-To: <CAMZUoK=ZB06jwAbuX2D=aN8ztAqr_jSgEXS1z1ABjQYVawKCBQ@mail.gmail.com>

On Tue, Jun 18, 2019 at 04:57:34PM -0400, Russell O'Connor wrote:
> So with regards to OP_SECURETHEBAG, I am also "not really seeing any reason to
> complicate the spec to ensure the digest is precommitted as part of the
> opcode."

Also, I think you can simulate OP_SECURETHEBAG with an ANYPREVOUT
(NOINPUT) sighash (Johnson Lau's mentioned this before, but not sure if
it's been spelled out anywhere); ie instead of constructing

  X = Hash_BagHash( version, locktime, [outputs], [sequences], num_in )

and having the script be "<X> OP_SECURETHEBAG" you calculate an
ANYPREVOUT sighash for SIGHASH_ANYPREVOUTANYSCRIPT | SIGHASH_ALL:

  Y = Hash_TapSighash( 0, 0xc1, version, locktime, [outputs], 0,
                       amount, sequence)

and calculate a signature sig = Schnorr(P,m) for some pubkey P, and
make your script be "<sig> <P> CHECKSIG".

That loses the ability to commit to the number of inputs or restrict
the nsequence of other inputs, and requires a bigger script (sig and P
are ~96 bytes instead of X's 32 bytes), but is otherwise pretty much the
same as far as I can tell. Both scripts are automatically satisfied when
revealed (with the correct set of outputs), and don't need any additional
witness data.

If you wanted to construct "X" via script instead of hardcoding a value
because it got you generalised covenants or whatever; I think you could
get the same effect with CAT, LEFT, and RIGHT: you'd construct Y in much
the same way you construct X, but you'd then need to turn that into a
signature. You could do so by using pubkey P=G and nonce R=G, which
means you need to calculate s=1+hash(G,G,Y)*1 -- calculating the hash
part is easy, multiplying it by 1 is easy, and to add 1 you can probably
do something along the lines of:

    OP_DUP 4 OP_RIGHT 1 OP_ADD OP_SWAP 28 OP_LEFT OP_SWAP OP_CAT

(ie, take the last 4 bytes, increment them using 4-byte arithmetic,
then cat the first 28 bytes and the result. There are overflow issues,
but I think they can be worked around either by allowing you to choose
different locktimes, or by more complicated script)

Cheers,
aj
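The P=G, R=G construction from the message above, worked through as an added example (this is not code from the post, from Bitcoin Core, or from any BIP reference implementation). It assumes BIP340 Schnorr, whose challenge is a tagged SHA256 over (R.x || P.x || m), as the concrete form of the post's hash(G,G,Y); the 32-byte Y is a constructed stand-in for the ANYPREVOUT sighash rather than a real Hash_TapSighash value, and the nonce is passed in explicitly instead of being derived by BIP340's nonce function. The point it demonstrates is that with secret key d=1 and nonce k=1 the signature is (G.x, 1 + e) and involves no secret at all, so a script that already holds Y can assemble a valid signature for "<sig> <P> CHECKSIG" from hash and arithmetic alone:

```python
"""BIP340 Schnorr with d = 1 (P = G) and k = 1 (R = G): s = k + e*d = 1 + e mod n.
Pure Python secp256k1; illustration only, not from the mailing-list post."""
import hashlib

# secp256k1 parameters
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
Gx = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
Gy = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
G = (Gx, Gy)


def point_add(P1, P2):
    """Affine point addition; None stands for the point at infinity."""
    if P1 is None:
        return P2
    if P2 is None:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P1 == P2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def point_mul(P, k):
    """Double-and-add scalar multiplication."""
    R = None
    while k:
        if k & 1:
            R = point_add(R, P)
        P = point_add(P, P)
        k >>= 1
    return R


def tagged_hash(tag, msg):
    """BIP340 tagged hash: SHA256(SHA256(tag) || SHA256(tag) || msg)."""
    t = hashlib.sha256(tag.encode()).digest()
    return hashlib.sha256(t + t + msg).digest()


def lift_x(x):
    """The curve point with x-coordinate x and even y, or None if none exists."""
    if x >= p:
        return None
    y_sq = (pow(x, 3, p) + 7) % p
    y = pow(y_sq, (p + 1) // 4, p)  # p = 3 mod 4, so this is a square root if one exists
    if y * y % p != y_sq:
        return None
    return (x, y if y % 2 == 0 else p - y)


def schnorr_sign(d, k, msg):
    """BIP340 signing with the nonce k given explicitly (not derived per BIP340)."""
    P = point_mul(G, d)
    if P[1] % 2:  # BIP340 uses the key with even y; negate d if needed
        d = n - d
    R = point_mul(G, k)
    if R[1] % 2:  # likewise the nonce point must have even y
        k = n - k
    rx, px = R[0].to_bytes(32, "big"), P[0].to_bytes(32, "big")
    e = int.from_bytes(tagged_hash("BIP0340/challenge", rx + px + msg), "big") % n
    return rx + ((k + e * d) % n).to_bytes(32, "big")


def schnorr_verify(pubkey_x, msg, sig):
    """BIP340 verification: s*G - e*P must equal a point with even y and x = r."""
    P = lift_x(int.from_bytes(pubkey_x, "big"))
    r = int.from_bytes(sig[:32], "big")
    s = int.from_bytes(sig[32:], "big")
    if P is None or r >= p or s >= n:
        return False
    e = int.from_bytes(tagged_hash("BIP0340/challenge", sig[:32] + pubkey_x + msg), "big") % n
    R = point_add(point_mul(G, s), point_mul(P, (n - e) % n))
    return R is not None and R[1] % 2 == 0 and R[0] == r


def script_free_signature(Y):
    """The post's trick: with P = G and R = G the signature is (G.x, 1 + e) where
    e = H(G.x, G.x, Y); there is no secret, only hashing and adding 1 mod n."""
    gx = Gx.to_bytes(32, "big")
    e = int.from_bytes(tagged_hash("BIP0340/challenge", gx + gx + Y), "big")
    return gx + ((1 + e) % n).to_bytes(32, "big")


def check(Y):
    """True if the secretless signature equals a real d=1,k=1 signature and verifies under P = G."""
    sig = schnorr_sign(1, 1, Y)
    return sig == script_free_signature(Y) and schnorr_verify(Gx.to_bytes(32, "big"), Y, sig)


if __name__ == "__main__":
    Y = hashlib.sha256(b"constructed stand-in for the ANYPREVOUT sighash").digest()
    print("P=G, R=G signature assembled without a secret verifies:", check(Y))
```

Two caveats a practitioner would want alongside the post's 4-byte increment: BIP340 interprets the challenge as a big-endian integer and takes s = (1 + e) mod n, so incrementing only the trailing 4 bytes matches exactly when there is no carry out of them (the all-0xFF case, probability 2^-32) and 1 + e does not wrap past n (negligible); and, since anyone can produce this signature for any message, the construction provides no authentication whatsoever. Its entire value is that CHECKSIG then binds the spending transaction to the sighash Y, which is what the post is after.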




Thread overview: 17+ messages
2019-06-01  5:35 [bitcoin-dev] OP_SECURETHEBAG (supersedes OP_CHECKOUTPUTSVERIFY) Jeremy
2019-06-02  5:35 ` ZmnSCPxj
2019-06-02 14:32 ` Russell O'Connor
2019-06-02 21:32   ` Jeremy
2019-06-05  9:30 ` Anthony Towns
2019-06-06  7:30   ` ZmnSCPxj
2019-06-18 20:57     ` Russell O'Connor
2019-06-20 22:05       ` Anthony Towns [this message]
2019-06-23  6:43         ` Jeremy
2019-07-08 10:26           ` Dmitry Petukhov
2019-10-03 23:22             ` Jeremy
     [not found]       ` <CAD5xwhj8o8Vbrk2KADBOFGfkD3fW3eMZo5aHJytGAj_5LLhYCg@mail.gmail.com>
2019-06-23 13:11         ` ZmnSCPxj
2019-06-24 14:34         ` Russell O'Connor
2019-06-24 18:07           ` Jeremy
2019-06-24 18:48             ` Russell O'Connor
2019-06-24 22:47               ` Jeremy
2019-06-25 17:05                 ` Russell O'Connor
